[00:02.100 --> 00:06.640]  Welcome everyone to my talk today: ICS Security Operations,
[00:06.640 --> 00:12.020]  Active Defense Concept with Effective Incident Response in Industrial Control Systems.
[00:14.440 --> 00:20.760]  This is John Kurnas. My name is pronounced as John, which is pretty close in English and John.
[00:21.060 --> 00:28.220]  And I am working as an OT security consultant and I have GICSP, OSCP, OSWPN certified
[00:28.220 --> 00:34.820]  hacker certifications. My bachelor is computer engineering and my master is cyber security.
[00:34.820 --> 00:39.300]  And you can reach me on Twitter and LinkedIn and GitHub as you can see here.
[00:40.180 --> 00:46.160]  I am of course a bit nervous about the presentation and let's take a deep breath
[00:46.160 --> 00:54.680]  and have some relaxation then we can continue. Okay, what's today's agenda? So I will discuss
[00:54.860 --> 00:59.580]  a bit on active defense concept and I will explain briefly threat intelligence,
[00:59.580 --> 01:02.840]  asset identification and network security monitoring,
[01:02.840 --> 01:08.100]  incident response for ICS and then taking the advantage of found threats.
[01:08.920 --> 01:15.660]  So what is active defense concept? It is something like this. Yes, improvising,
[01:15.660 --> 01:24.940]  adapting and overcoming as we agree. But yeah, it is also related to this picture.
[01:25.840 --> 01:31.840]  But in general, what I can explain is somewhere in the middle in here in the picture,
[01:32.220 --> 01:38.200]  it is the process of analysts monitoring for responding to and learning from adversaries
[01:38.200 --> 01:44.800]  internal to the network. So basically that means it is a combination of analyzing
[01:44.800 --> 01:52.480]  the adversaries steps and monitoring constantly to the internal network and then when you see
[01:52.480 --> 02:00.960]  any anomalies responding to that and basically when you see any action, basically create lessons
[02:00.960 --> 02:08.200]  learned and learn from the adversaries. It is not deployable by itself of course,
[02:08.200 --> 02:14.780]  it is built on the top of the good practices such as good architecture and then the passive defense.
[02:15.480 --> 02:21.400]  And it is definitely not a hack back. So you need to stay on your internal network to protect and
[02:21.400 --> 02:26.580]  you do not need to, you do not have to attack back to the adversaries of course.
[02:27.260 --> 02:33.440]  So why active defense is needed? As we can see, at least for a couple of years,
[02:33.440 --> 02:38.540]  traditional methods of protection without constant human interaction such as firewalls,
[02:38.540 --> 02:45.340]  IPS and antiviruses only provide a certain level of security, and adversaries are getting
[02:45.340 --> 02:50.670]  stronger and stronger every day, and passive defense usually doesn't stop them, unfortunately.
[02:52.140 --> 02:59.160]  So let me take a look at the active cyber defense cycle. It consists of four elements:
[02:59.160 --> 03:04.710]  threat intelligence consumption, asset identification and network security monitoring,
[03:05.330 --> 03:12.950]  And then incident response when it's necessary and using threat and environment manipulation to
[03:12.950 --> 03:23.070]  get over the adversaries. Basically this diagram is coming from SANS, and the references are down there.
[03:24.070 --> 03:28.670]  So basically the idea is monitoring your area of responsibility
[03:29.870 --> 03:37.190]  which is quite necessary to at least have the, let's say, idea of the getting the baselines then
[03:37.190 --> 03:44.850]  checking the anomalies and that said implementing monitoring will bring you the chance for quick
[03:44.850 --> 03:50.830]  response when it's necessary when you see something odd and responding to incidents and attacks on
[03:50.830 --> 03:57.650]  time is of course crucial because especially on the industrial control systems if it affects
[03:57.650 --> 04:04.410]  the industrial control network it's going to cost you a lot. And constant changes are necessary
[04:04.410 --> 04:11.490]  since you need to beat the adversaries and kick them out of your industrial control network.
[04:12.210 --> 04:17.990]  And after that you need to share and you need to consume the lessons learned. At least you
[04:17.990 --> 04:23.570]  need to share with the community and you need to observe and collect the lessons learned from the
[04:23.570 --> 04:30.430]  community to develop better defenses on your systems, on your ICS.
[04:31.860 --> 04:40.290]  So what is threat intelligence? I'm going to try to explain this pretty quickly.
[04:40.290 --> 04:46.190]  Let's start with the intelligence. So intelligence basically means the process of collecting data,
[04:46.190 --> 04:52.850]  turning into information and producing an assessment that satisfies a previously identified
[04:53.690 --> 05:06.430]  knowledge gap. So you need to get from the raw data to important information. So normally
[05:06.850 --> 05:12.150]  everybody can say yeah, you can do this with the tools, but unfortunately
[05:12.750 --> 05:18.690]  tools can only help and your analysts can create intelligence not the tools.
[05:20.070 --> 05:25.150]  The intelligence life cycle, when we take a look at the intelligence life cycle,
[05:25.150 --> 05:31.950]  it starts with planning and direction, then collection, then processing and exploitation.
[05:31.950 --> 05:38.430]  Exploitation here doesn't mean the exploitation in computer science. It is more
[05:38.430 --> 05:47.550]  like clarifying and filtering the information that you need, to make it useful. And then
[05:47.550 --> 05:53.370]  analysis and production and dissemination and integration. Basically the intelligence life
[05:53.370 --> 06:01.870]  cycle consists of these elements. And then if we, if we discuss about the open source intelligence,
[06:01.870 --> 06:08.330]  it is a type of intelligence which is quite useful for adversaries as well as also for you.
[06:09.170 --> 06:14.210]  It is low cost and low impact but it gives essential information about you. So most of
[06:14.210 --> 06:21.250]  the time adversaries are googling on the internet, checking related documents and data about you.
[06:21.250 --> 06:29.290]  But you can also use this to your own benefit by checking these documents and
[06:29.290 --> 06:35.510]  trying to reduce your threat landscape. Normally these sources can be public relation documents
[06:35.510 --> 06:43.650]  or partnership announcements that you share. Most of the time these documents are not considered
[06:43.650 --> 06:48.850]  dangerous but they are dangerous because they contain valuable information.
[06:49.770 --> 06:57.150]  Company information of course. If the company is a public company and if the company shares
[06:57.150 --> 07:03.470]  monthly or quarterly or, I don't know, annual reports, these reports also have valuable
[07:03.470 --> 07:10.530]  information about the company. Most of the time job descriptions basically leak the technologies
[07:10.530 --> 07:18.370]  of course. And advisories and alerts sometimes also might be related to your systems and
[07:18.850 --> 07:24.910]  give some hints about your systems. And of course your internet connected devices.
[07:25.230 --> 07:33.970]  These are the most dangerous things. So if you continue with the threat intelligence,
[07:33.970 --> 07:39.710]  in simple terms again threat intelligence is analyzing information related to adversaries
[07:39.710 --> 07:44.370]  that have intent, capability and opportunity to harm you.
[07:44.970 --> 07:50.130]  So that specific type of intelligence gives defenders knowledge of the adversary,
[07:50.130 --> 07:55.750]  their actions within the defender's environment and the capabilities as well as their tactics,
[07:55.750 --> 08:02.050]  techniques and procedures. And the threat intelligence is often shared in different
[08:02.860 --> 08:09.750]  methods, for example indicators of compromise, IOCs, as I mentioned tactics, techniques and
[08:09.750 --> 08:17.110]  procedures, TTPs and oftentimes complete report about an incident or an attack.
[08:19.390 --> 08:26.970]  And what do we need to do to identify our threat landscape? Threat landscape is a combination of
[08:26.970 --> 08:33.230]  information attack space, threat groups, industry and non-technical influences. So basically to
[08:33.230 --> 08:37.690]  identify your threat landscape you need to ask yourself who is interested to attack your
[08:37.690 --> 08:45.670]  organization and why, what would be the reason of causing damage and how can they get into your
[08:45.670 --> 08:53.550]  organization. And after you identify the threat landscape you need to reduce the threat landscape
[08:54.210 --> 09:00.710]  and most of the times asset and network identification is necessary to succeed.
[09:00.710 --> 09:07.670]  First of all you need to clarify your external and internal landscapes because you need to focus
[09:07.670 --> 09:15.310]  on your responsibility areas and as well as you would have some connections from third-party
[09:15.310 --> 09:24.510]  vendors or any other third-party service providers etc. Then using known information
[09:25.940 --> 09:34.790]  you need to try to reduce your threat landscape basically by checking these information and
[09:34.790 --> 09:41.770]  trying to prevent any leaking information like that and performing assessments and measurements
[09:42.490 --> 09:49.870]  also with the third-party companies or external companies because sometimes you need to have a
[09:49.870 --> 09:57.670]  second opinion or second eye to check that and after that you need to continue
[09:57.670 --> 10:04.390]  doing these again and again to reduce your landscape. External threat intelligence
[10:04.390 --> 10:08.990]  is the threat intelligence that comes from specialized teams, which can be professional
[10:08.990 --> 10:17.690]  services companies such as Dragos, or it could be from ICS-CERT and other CERTs, and
[10:18.190 --> 10:25.430]  basically provides indicators of compromise and TTPs. Most of the time it is for large audiences;
[10:25.990 --> 10:32.650]  it might not be relevant for you, but still it is important to follow these threat intelligence
[10:33.290 --> 10:40.490]  reports, but sometimes of course the industry is not relevant for you and you don't need to take
[10:40.490 --> 10:47.830]  an action. But oftentimes ICS threat intelligence are limited, it's really hard to find, especially
[10:47.830 --> 10:55.730]  purely ICS threat intelligence, but when you find it, it's really priceless. And ICS-CERT,
[10:55.730 --> 11:02.450]  multiple ISACs and old ISACs can provide it; SANS Internet Storm Center is also providing
[11:03.510 --> 11:09.090]  threat intelligence, threat feeds, and reports from vendors and professional service companies,
[11:09.090 --> 11:14.910]  as I mentioned, like from Mandiant or from Dragos, for example, or FireEye.
[11:15.710 --> 11:20.570]  What is internal threat intelligence? Internal threat intelligence comes from your data.
[11:21.050 --> 11:25.570]  It is usable against the current problems in your environment because the data is
[11:25.570 --> 11:30.830]  coming from your environment and after you analyze, you basically realize there are some
[11:30.830 --> 11:37.750]  problems and it's directly relevant to your issues. But it requires personnel in order to
[11:38.290 --> 11:44.490]  do the analysis and it requires specialized skills such as malware and threat analysis.
[11:47.430 --> 11:55.390]  And if you summarize threat intelligence, tactical threat intelligence contains TTPs and IOCs,
[11:55.390 --> 12:01.790]  which are quite useful to add, change and implement your defense, or at least search for
[12:01.790 --> 12:06.670]  intrusions in your environment. And strategic threat intelligence can be used to look
[12:06.670 --> 12:13.270]  overall patterns, suspected attribution, trends and teams. It is also useful to identify
[12:13.270 --> 12:17.310]  where your defense might fail or already failing.
[12:19.070 --> 12:23.630]  So if you go for asset identification and network security monitoring,
[12:24.830 --> 12:30.750]  the purpose and importance of the asset identification is it is really hard to defend
[12:30.750 --> 12:34.890]  if you don't know what you have in your plant, in your facility or in your environment
[12:34.890 --> 12:41.950]  in general. Because if you don't know what's there, you cannot protect it basically. And
[12:41.950 --> 12:46.990]  advanced security solutions that you have also not effective if you can't provide the whole map
[12:46.990 --> 12:56.450]  to defend. So you need to at least provide the fundamental security to have this. And
[12:56.450 --> 13:01.830]  network security monitoring, threat intelligence and incident response usually work better if you
[13:01.830 --> 13:09.450]  have the network knowledge, if you have internal network knowledge. And how do we identify the
[13:09.450 --> 13:15.510]  assets in the ICS network then? We can say first we need to start determining the area of
[13:15.510 --> 13:20.410]  responsibility. Because as I mentioned, most of the times there are some remote connections that
[13:20.410 --> 13:28.570]  you need, you shouldn't include. Because yeah, of course, VPN endpoints on your side, that can
[13:28.570 --> 13:37.550]  count on your responsibility. But still, there are some ways that goes to outbound and not in
[13:37.550 --> 13:44.550]  your responsibility anymore. And then finding and utilizing the existing information. For example,
[13:44.550 --> 13:50.090]  if you already have some network diagrams that you have, you need to start with this, then you
[13:50.090 --> 13:56.030]  can validate non-information. And if it's not sufficient, and if you think you need to, let's
[13:56.030 --> 14:02.110]  say, create a new one, you can try to collect by doing physical inspection, which is normally a bit
[14:02.110 --> 14:08.570]  harder and takes much more time. You can do traffic analysis in your ICS network,
[14:08.570 --> 14:14.950]  passive analysis, that we can also say. We can do configuration file analysis.
[14:15.470 --> 14:21.730]  And we can do active scanning, which is not recommended, except, let's say, when you are
[14:21.730 --> 14:29.190]  not in production or if you're in a turnaround, you can do that. But otherwise,
[14:29.190 --> 14:36.530]  it's a bit dangerous. And then, collecting the data on all the assets, you need to document it again,
[14:36.530 --> 14:42.050]  in order to have a nicely done diagram and have all the assets.
[14:43.230 --> 14:49.770]  And unfortunately, most of the ICS networks are flat networks. You'll notice that once you've done
[14:49.770 --> 14:58.090]  the asset identification, after identifying the assets, it's often required to have a physical or
[14:58.090 --> 15:05.010]  logical separation or both. It is quite necessary since it makes it more difficult for adversaries to
[15:05.010 --> 15:10.690]  pivot in your network. Otherwise, if it's a flat network, normally a game would be over within,
[15:10.690 --> 15:16.490]  let's say, half an hour or one hour. For the active defense concept, it is really crucial
[15:16.490 --> 15:24.410]  because you need to build on top of the good architecture and passive defense. At least for
[15:24.410 --> 15:31.050]  me, the aim would be separating the network as explained in the Purdue model. So it could be a good
[15:31.050 --> 15:38.850]  reference to start with. And then if you want to have more separation, then you can use
[15:38.850 --> 15:46.310]  micro-segmentation, etc. But it is the fundamental for the ICS networks. And network security
[15:46.310 --> 15:53.770]  monitoring is a continuous process to collect, detect, analyze indication of threats in order to
[15:53.770 --> 16:00.710]  respond faster to incidents and attacks in your network. It is a threat-centered approach instead
[16:00.710 --> 16:06.570]  of the traditional vulnerability-centered approach. Network security monitoring requires dedicated
[16:06.570 --> 16:13.870]  personnel as analysts. And it also requires preparation for infrastructure and also tools
[16:13.870 --> 16:22.890]  ahead of time. And it brings proactive approach to security and detection of the threats. So
[16:24.010 --> 16:32.310]  you can take some remediations once you identify the issues in your network.
[16:34.170 --> 16:39.690]  And network security monitoring provides visibility and helps you to identify the changes
[16:39.690 --> 16:46.850]  and anomalies. It might not be relevant only to adversaries, but also
[16:48.140 --> 16:51.790]  to some misconfigurations, for troubleshooting misconfigurations.
[16:51.790 --> 16:58.150]  And it helps you to detect intrusion attempts and movements within ICS SCADA networks.
[16:58.250 --> 17:04.290]  And it can evaluate separation and segregation for levels that you have and zones that you have.
[17:04.610 --> 17:10.930]  And it can help fine-tuning and validating the settings of passive defense elements. For example,
[17:10.930 --> 17:16.790]  checking the firewall rules and to see if it's correctly implemented or missing some points,
[17:16.790 --> 17:23.710]  etc. And it also can help reduce the threat landscape by hardening non-required ports and
[17:23.710 --> 17:28.490]  services. Since you are seeing this when you are doing the network security monitoring and
[17:28.490 --> 17:37.270]  you can instantly take remediation. Network security monitoring is more useful in ICS networks
[17:37.270 --> 17:46.210]  since most of the assets are critical. And most of the times, all the assets or any assets cannot
[17:46.210 --> 17:54.210]  be immediately patched. Because, yeah, we know ICS networks are quite, let's say, untouchable.
[17:54.210 --> 18:02.160]  And then you need to have any other layer to have the protection for your endpoints, etc.
[18:02.590 --> 18:07.790]  And ICS networks have many dependencies and connections, such as enterprise network
[18:07.790 --> 18:14.150]  connection, vendor connections, business applications, contractor VPNs. And it is
[18:14.570 --> 18:20.550]  really valuable to monitor these external parties for anomalies because once your vendor or once
[18:20.550 --> 18:27.250]  your contractor, let's say, compromised, it is just a moment to jump into your network by using
[18:27.250 --> 18:34.870]  these VPNs. And normally, you don't have any vision on these connections without active defense.
[18:35.650 --> 18:38.090]  And detection approaches.
[18:39.550 --> 18:46.490]  Most of the time, what we check is identifying the most used IP addresses and ports used within
[18:46.490 --> 18:53.070]  the network to create basically a baseline, identifying biggest bandwidth users, identifying
[18:53.070 --> 18:59.010]  encrypted communication, because most of the times, command and control centers are using
[18:59.010 --> 19:05.290]  encrypted communications. And identifying critical assets and usual traffic is also
[19:05.290 --> 19:13.670]  important to continue on the baseline to have stability on that. And identifying network
[19:13.670 --> 19:21.150]  anomalies, of course, and identifying lowest bandwidth and communication, because sometimes
[19:21.150 --> 19:28.730]  you can see in the network unusual traffic, which could be pretty less than your usual levels.
[19:28.730 --> 19:35.310]  And of course, you need to identify exfiltration. You need to check that
[19:36.730 --> 19:42.070]  when you are doing the detection. And asset identification and network security monitoring
[19:42.070 --> 19:46.710]  takeaways. Asset identification and network security monitoring is the key
[19:47.370 --> 19:52.770]  for active defense concepts. Network security monitoring is a great approach for ICS because
[19:52.770 --> 20:01.670]  most of the ICS networks are quite stable. And basically, once you create a baseline, it is
[20:02.370 --> 20:10.430]  easy to, let's say, monitor. And these two elements support implementation of
[20:10.430 --> 20:15.870]  better architecture and passive defense. Once you implement that, yeah, you can take a look
[20:15.870 --> 20:22.750]  back and you can, let's say, improve your basic fundamental security also.
[20:22.770 --> 20:28.270]  Detection often relies on the sensors in the ICS network. You need to be sure that
[20:28.270 --> 20:36.650]  you need to detect the baseline changes, anomalies, and IDS rules. Because these can
[20:36.650 --> 20:41.470]  basically warn you when you are doing the detection. And logs and visibility are really
[20:41.470 --> 20:51.310]  important. But yeah, you need to have an analyst to, let's say, contribute value on that. Because
[20:52.110 --> 20:58.750]  by itself, logs and visibility doesn't give you the chance that you can prevent. And analysts
[20:58.750 --> 21:05.490]  need to follow it constantly and verify it if there is an anomaly. And network security
[21:05.490 --> 21:10.530]  monitoring will eventually lead to incident response. You need to be ready for incident response.
[21:12.170 --> 21:18.730]  By saying that, incident response for ICS, it is a bit different comparing to
[21:19.590 --> 21:29.230]  usual IT incident response. Because you cannot simply bring down the systems during the
[21:29.230 --> 21:35.310]  incident response when you're working on ICS networks. And the focus is a bit different
[21:35.310 --> 21:40.470]  by saying that maintaining safe and reliable operations is the most important thing.
[21:40.470 --> 21:46.850]  Acquiring meaningful forensic data within a limited time. Performing a timely analysis.
[21:46.850 --> 21:51.710]  And containing and eradicating the threats. Basically, these are the four elements that
[21:51.710 --> 22:00.460]  you need to follow when you're doing the ICS incident response. Before that, preparation.
[22:00.460 --> 22:05.640]  There are some steps that you need to follow. Preparation, same as traditional IT, but with
[22:05.640 --> 22:10.980]  some limitations such as testing tools, testing methods, but in a lab. Integrated detection and
[22:10.980 --> 22:15.020]  identification. Working with network security monitoring team to implement rules and detection
[22:15.020 --> 22:21.240]  capabilities, which is tailored to your threats in order to identify impacted systems.
[22:21.560 --> 22:29.440]  And evidence acquisition. Normally, you don't have that much time, like on IT side,
[22:29.440 --> 22:36.180]  you don't have that much time to do forensic analysis because you cannot stop the operations.
[22:36.880 --> 22:41.980]  Here, the focus is maintaining operations while acquiring enough evidence to perform later.
[22:42.940 --> 22:49.400]  You'll do the forensic analysis later. And time critical analysis using fast and well-tested
[22:49.980 --> 22:56.560]  techniques to quickly determine the overall impact to the operations.
[22:57.340 --> 23:04.240]  And supported activities. IR teams mostly share information and evidence. All the evidence should
[23:04.240 --> 23:10.880]  be passed to other teams to begin deep analysis and continue on the active defense cycle.
[23:10.880 --> 23:15.060]  Containment. Preserving the operations by collaborating with other teams,
[23:15.060 --> 23:21.800]  operators, and also engineers on the field. Eradication and recovery. You need to neutralize
[23:21.800 --> 23:26.180]  the threat by, for example, reimaging the system, reinstalling known good software,
[23:26.180 --> 23:32.840]  implementing patches. And then you need to provide the lessons learned, which is documenting
[23:33.800 --> 23:40.060]  findings for all, passing information to the network security monitoring team in order to identify and
[23:40.060 --> 23:46.580]  see if there is any reinfection, etc. And how do you prepare an incident response team?
[23:47.480 --> 23:51.520]  You need to determine the requirements and dependencies within your facility.
[23:51.820 --> 23:58.600]  For example, uptime, availability, and specific systems you need to take care. You need to decide
[23:58.600 --> 24:03.500]  if it's going to be in-house or outsourced. There are some advantages on both sides.
[24:03.500 --> 24:13.220]  But you need to decide, at least have a couple of people in your facility to do it faster.
[24:13.420 --> 24:18.440]  A team size three, four well-trained people on site would be enough to cover, but you also need
[24:18.440 --> 24:24.120]  to think about the shifts, etc. So in total, it needs to be at least eight to 10 people.
[24:24.320 --> 24:28.640]  So chain of command is really important because there will be chaos and someone needs to
[24:29.480 --> 24:35.880]  communicate with the management team, etc. And it should be incident response director.
[24:36.100 --> 24:42.220]  Then all the evidence and incident handlers need to report to lead responder. And the chain of
[24:42.220 --> 24:48.740]  command needs to go up and down like this. And to build your ICS incident response team, you need
[24:48.740 --> 24:56.060]  to find the right personnel. Of course, it's the hardest part because incident response is really,
[24:56.060 --> 25:05.020]  to focus and develop yourself. And then also you need to take care of your jump kits because
[25:05.580 --> 25:13.180]  often jump kits, when you need it during the incident, most of the time you are losing some
[25:13.180 --> 25:19.520]  parts from the jump kit. It's easy to borrow from the jump kit. And then when you go to the incident,
[25:19.520 --> 25:25.780]  you are missing a couple of hard disks, etc. when you need it over there. So it's important.
[25:26.060 --> 25:34.380]  So evidence acquisition, you need to take care of the order of volatility.
[25:34.900 --> 25:41.580]  And you need to decide if it's going to be local or remote acquisition. I would prefer local because
[25:41.580 --> 25:51.000]  it's less risk and faster. The tools should be tested before on the systems because we are not
[25:51.000 --> 25:56.800]  talking about regular IT systems. Acquisition should be coordinated with all involved personnel
[25:56.800 --> 26:01.880]  and you need to discuss beforehand when you are touching any field device with engineers and
[26:01.880 --> 26:08.900]  operators. You need to gather all the evidence if the time permits. You need to start from registry
[26:08.900 --> 26:17.060]  and then any memory and then taking the disk images, for example. And you need to take necessary
[26:17.060 --> 26:24.340]  photos in order to see on the, let's say, devices. If you see any command prompt, you need to
[26:25.020 --> 26:33.540]  have an evidence because once you turn it off, you will lose it or you can lose it in any second.
[26:33.560 --> 26:36.540]  And all the data should be analyzed in an approved facility.
[26:37.660 --> 26:43.920]  What are the sources for the forensic data in ICS networks? Highly volatile data, system memory,
[26:43.920 --> 26:50.260]  network information, and system processes, and VPN connections, and these logs, and registry
[26:50.260 --> 26:59.520]  hives, HMIs, mostly Windows computers and you can have system logs, etc. Engineering workstations,
[26:59.520 --> 27:06.100]  controllers such as PLCs and RTUs, and sometimes virtual resources such as
[27:06.100 --> 27:12.700]  VMs and cloud environments if it's connected. And you need to do high quality incident response
[27:14.420 --> 27:19.440]  in a timely manner. It's really important in ICS when you are doing this.
[27:19.600 --> 27:22.920]  Timely analysis is important to keep operations safe and reliable.
[27:23.260 --> 27:29.560]  It should focus on understanding the scope and then the type of incident. And the baseline
[27:29.560 --> 27:35.380]  information comparison will be really helpful when you do that. And focusing on the new connections
[27:35.380 --> 27:42.600]  in the bandwidth, new routes, anomalies in the VPN connections,
[27:42.600 --> 27:50.100]  registry keys, spawned processes, you need to check these first. And asset identification and network
[27:50.100 --> 27:58.160]  security monitoring help to respond quickly. And utilize good tools to reduce the analysis period.
[27:58.160 --> 28:02.700]  This is also important. You need to do the practice before going to the real incident.
[28:03.540 --> 28:09.260]  And how do you use threat intelligence in the incident response? Indicators of compromise
[28:09.730 --> 28:16.140]  to scope the infected systems. Then after that, you need to identify the network data on host.
[28:16.220 --> 28:24.580]  And TTPs to identify adversary efforts. And you need to utilize and ensure threats are gone after
[28:24.580 --> 28:33.360]  you've done the incident response. And incident response takeaways. You need to focus on providing
[28:33.360 --> 28:38.420]  actionable information about the scope of the threat and its potential impacts while you are
[28:38.420 --> 28:43.680]  acquiring the evidence without breaking operations and safety. ICS incident response
[28:43.680 --> 28:49.720]  should be tailor-made. It's a bit different than the IT, as I mentioned. Efforts must align with
[28:49.720 --> 28:55.460]  the goals and requirements of the operations. This is the first priority. Preparations should
[28:55.460 --> 29:01.880]  be done ahead of time. You really need to practice before it really happens. And acquired evidence
[29:01.880 --> 29:07.540]  and lessons learned should be shared with other personnel. So once you get evidence, you need to
[29:07.540 --> 29:17.340]  share it to move forward the active defense cycle. And let's summarize this. Taking the
[29:17.340 --> 29:23.700]  advantage of the found threats. Once you complete the incident response, if we can safely interact
[29:23.700 --> 29:28.700]  with and understand the threat, we can have the best source of defense information from the
[29:28.700 --> 29:34.920]  adversary's best capability. We can feed the active cyber defense cycle with the found threat
[29:34.920 --> 29:41.140]  intelligence to build better defense. It is important to identify and use indicators of
[29:41.140 --> 29:47.600]  compromise from the threats to help incident response. And understanding the malware's tactics
[29:47.600 --> 29:52.620]  to identify weaknesses in the current ICS architecture is valuable because after that,
[29:52.620 --> 30:01.080]  you need to improve your architecture. So these steps are really valuable. And my last presentation
[30:01.080 --> 30:08.000]  is about lessons learned sessions for long term success. For the success of active cyber defense
[30:08.000 --> 30:13.980]  cycle, lessons learned should be shared between the teams internally. And also necessary actions
[30:14.730 --> 30:21.360]  needs to be taken to build better defense, either during the incident or after
[30:21.360 --> 30:27.280]  the incident. And after that, once you share it internally, it's also recommended to share
[30:27.280 --> 30:34.720]  your lessons learned in an appropriate way with the ICS community because if you had that threat,
[30:34.720 --> 30:40.400]  someone else might get this soon. So it is really important and valuable.
[30:42.080 --> 30:47.600]  And yeah, I think I'm just on time. Thank you very much for listening to me. If you have any
[30:47.600 --> 30:55.640]  questions, either you can send me a message on LinkedIn or Twitter or you can ask now. Thank you.
[30:56.180 --> 30:57.280]  John, this is...
[31:04.960 --> 31:12.540]  Okay, so everybody, look forward to seeing John and asking questions and all sorts of different things.
[31:12.800 --> 31:16.540]  On the DEF CON discord server, we're in the ICS village subgroup.
[31:17.200 --> 31:20.020]  And John, thank you very much. That was a fantastic presentation.
[31:20.020 --> 31:22.360]  Thank you. Cheers, bye.
